AzureDevOps organization critical builtIn

Description

Protect access to repositories in YAML pipelines. This setting restricts the scope of access for all pipelines to only the repositories explicitly referenced by the pipeline, and applies checks and approvals when YAML pipelines access repositories. It also generates a job access token that is scoped to the repositories explicitly referenced in the YAML pipeline.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos
https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens#protect-access-to-repositories-in-yaml-pipelines
https://devblogs.microsoft.com/devops/pipeline-stealing-another-repo/

Recommendation

1. Go to Organization Settings. 
2. Click on Pipelines -> Settings. 
3. Turn 'On' the setting 'Protect access to repositories in YAML pipelines'.
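
With the setting on, a pipeline reaches only the Azure Repos Git repositories it names. The pipeline below is an added example, not part of the original policy text, showing the two ways a job can reference a second repository; the project `FabrikamProject`, the repository `FabrikamTools`, the alias `tools` and the `<organization>` placeholder are hypothetical.

```yaml
# Added example. FabrikamProject, FabrikamTools and the alias "tools" are
# hypothetical names; <organization> is a placeholder.
pool:
  vmImage: ubuntu-latest

resources:
  repositories:
  - repository: tools                    # alias used by checkout/uses below
    type: git                            # Azure Repos Git
    name: FabrikamProject/FabrikamTools  # project/repository

jobs:
- job: build
  steps:
  - checkout: self    # the pipeline's own repository
  - checkout: tools   # explicit reference: the job token scope includes this repo
  - script: ls "$(Build.SourcesDirectory)"
    displayName: List checked-out repositories

- job: script_clone
  uses:
    repositories:
    - tools           # reference without a checkout step, for script-driven git access
  steps:
  - checkout: none
  - script: |
      git -c http.extraheader="AUTHORIZATION: bearer $(System.AccessToken)" \
        clone "https://dev.azure.com/<organization>/FabrikamProject/_git/FabrikamTools"
    displayName: Clone a referenced repository with the job token

# A repository that no checkout step or uses entry in the job names is outside
# the job token's scope, so git commands against it from a script step are rejected.
```

Pipelines that clone other repositories from script steps without referencing them will start failing once the setting is turned on, so add the missing `checkout` or `uses` references first.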

Policy Rule

{
  "target": "ADOOrganizationPipelineSettings",
  "if": {
    "allOf": [
      {
        "resource": "ADOOrganizationPipelineSettings",
        "property": "EnforceReferencedRepoScopedToken",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}